The past few years have seen an ever-increasing level of attacks on computer systems and servers. Malicious hackers spend hours on end trying to identify security holes via which they can embed viruses, Trojans, etc. Almost as soon as an operating system (OS) vendor publishes a security patch to defeat a particular attack scheme, the hackers have figured out another way to defeat the software. Once viruses and the like appear on servers, an entire network of computers is susceptible to attack by those viruses.
In addition to malicious attacks in which the intent is to cause widespread system damage, networks are also prone to security breaches that enable data to be “stolen.” For example, recent attacks have been made on various electronic storefront servers to steal credit card information and other user information. These types of attacks have lead to an escalating need for substantially improved security measures.
In view of the severity and frequency of the foregoing, a new direction has been proposed to replace today's security paradigm. A more proactive approach to security is presently being designed into the next generation of operating systems, which are referred to as trusted operating systems (TOS), secure operating systems (SOS), and secure and trusted operating systems (STOS). As stated in an NSA Operating System Security Paper, NISSC, October 1998, “Current security efforts suffer from the flawed assumption that adequate security can be provided in applications with the existing security mechanisms of mainstream operating systems. In reality, the need for secure operating systems is growing in today's computing environment due to substantial increases in connectivity and data sharing. The threats posed by the modern computing environment cannot be addressed without secure operating systems. Any security effort which ignores this fact can only result in a ‘fortress built upon sand’.”
In contrast to today's scheme of security mechanisms layered over an unsecure core (e.g., a mainstream OS), the new approach begins with a trusted core that may only be accessed by users having appropriate security credentials. In this context, it is noted that users are not limited to humans, but rather also include programmatic entities such as software applications and the like. A chain of trust is maintained by the TOS or STOS to ensure that only trustworthy users may access secured portions of the OS, while other unsecure portions do not require the same level of authentication to access. The end result is that unqualified access is denied.
While efforts are being made to dramatically enhance operating system security, there are no commensurate endeavors that have been directed at system firmware. Although less susceptible to attacks than software, there are still situations under which system firmware may be attacked. In general, an attack may be direct (e.g., immediate deletion or corruption of critical BIOS components), or latent (e.g., a firmware Trojan to be activated at a future time). While operating systems attacks are generally somewhat recoverable, a firmware attack may be fatal. Consider, an errant operating system can be replaced, while errant firmware may totally disable a system or server.
Another aspect of firmware security relates to trusted processes. STOS's provide mechanisms to ensure all secure software processes are trusted. There are no equivalent mechanisms for ensuring firmware processes are trusted; as such, firmware is deemed to be untrustworthy. For example, various firmware architectures support “hidden” firmware operations during operating system runtime. Depending on the particular architecture, these runtime firmware operations may have access to all of a system's resources, including the full memory address space. Thus, malicious firmware may cause havoc to operating systems an/or applications by modifying (e.g., deleting, replacing) portions of memory that are thought to be secured by the TOS or STOS.